Cryptanalysis of a Multivariate Public Key Encryption Scheme with Internal Perturbation Structure

Recently, Wang et al proposed a new middle-field type scheme for multivariate public key encryption. There are three equations in the central map, so it is convenient to name it TH. They found that some linearization equations can be derived for TH and to overcome this defect, they combined the internal perturbation and plus methods to obtain an improved scheme which we call PTH+. They claimed that PTH+ can resist all known types of attacks, including differential attack, and to ensure it achieves a security level higher than 2(80), they suggested the parameter is taken as (l, r, m) = (47, 6, 11). In this paper, we show that TH has a much weaker structure than what is analyzed by the inventors and it can be totally cracked by linearization attack. For PTH+, we propose a method to reduce the attack against PTH+ to an attack on TH+ (a plus variant of TH) using the property on its differentials, which was originally regarded as impossible by that authors. The total complexity of our attack is 2(l+r+1)(2l)(w) approximate to 2(72), which is independent on the number m of the additional random quadratic equations by the plus method and disproves the claim in their original paper that the larger is the m, the securer is PTH+.